Thycotic’s Cyber Security Publication

Incident Response Plan: Are You Breach-Ready?

August 28th, 2018

It’s no longer rare to see cyber-attacks in the daily news. From ransomware to data breaches to DDoS (Distributed Denial of Service) attacks, the incident is usually attributed to either cyber criminals or nation states, and almost always comes from beyond our own country’s borders and laws.

Because of this, we worry about clicking on a web page or opening an attachment in an email, never knowing which action will result in a cyber security incident that’s going to compromise us. But we click anyway, because that’s what we do to get things done. We’re humans—we take risks.

We worry about clicking on the wrong thing, but we click anyway, to get things done

Despite the technology available to keep us safe, your organization must ultimately depend on its people to make the right security decisions. If you fail to train employees as enthusiastically as you invest in technology, you’ll always run the risk of someone clicking on the wrong thing and bringing your entire network and infrastructure to a standstill.

Below you’ll an incident response template that you can customize, a response plan for protecting privileged accounts, and lower down you’ll find my incident response checklist.

PRIVILEGED ACCOUNTS exist to enable IT professionals to manage applications, software, and server hardware, and they can be human or non-human. Privileged accounts provide administrative or specialized levels of access based on higher levels of permissions that are shared. Some privileged accounts are also application accounts used to run services requiring specific permissions. In many cases, user accounts can also have elevated or administrative privileges attached to them.

Privileged accounts must be correctly managed to minimize the risk of a security breach. However, should one of your privileged accounts become compromised, you may find yourself faced with a breach and an urgent need for an appropriate incident response.

INCIDENT RESPONSE is an organized process and structured technique for handling a cyber security incident within an organization, to manage and limit further damage. Preparing an organization-specific cyber incident response plan is an investment in your company’s cyber security, and should live on as just another item on your breach prevention to-do list.

WHEN A PRIVILEGED ACCOUNT IS COMPROMISED

When a privileged account gets compromised or stolen it gives a cyber criminal the ability to bypass almost all the traditional IT security controls, like firewalls or antivirus, that many organizations rely on to protect their most valuable assets and keep the business running. It enables the cyber criminal to impersonate a trusted employee or system and to carry out malicious activity, remaining undetected for long periods of time.

In many breaches an attacker will use privileged accounts to perform reconnaissance and learn about the IT team’s normal routines, predictable schedules, what security is in place, traffic flow, and ultimately create a blueprint of the entire network and operations. An attacker’s reconnaissance can occur from a few hours to months earlier depending on how big the target or reward is. The more an attacker learns about the target the easier it is for the attacker to blend in with normal operations, evade detection and avoid triggering any alarm thresholds set by the security team.

When your organization falls victim to a cyber-attack it is critically important you know the potential impact of the breach. That means knowing what sensitive data has been disclosed and which privileged accounts have been compromised. This will enable you to determine the potential risk to your organization, and act accordingly.

A privileged account can be the difference between experiencing a simple perimeter breach or a cyber catastrophe. Two questions I usually have when responding to an active ongoing cyber security breach are:

Do any of the systems the cyber criminal has access to contain sensitive data?

Does the cyber criminal have access to privileged accounts?

Knowing the answers to these questions enables me to determine whether the organization should focus on isolating the active breach (aka Pull the Plug), or if containment is an option (watch and learn) to learn more about the cyber criminal and their motive.

I can quickly tell if the victim has no idea how to answer the questions. That is, they do not know where sensitive data exists, nor whether they are managing and securing privileged accounts. This is a major failure in cyber security best practices. It means that during such incidents the only way forward is to quickly eradicate the active attack as it could be only a matter of minutes before the cyber criminal extracts all the targeted data or deploys a ransomware payload that will corrupt systems to hide their tracks, and cause significant damage.

Incidents will happen. But how do you typically find out?

We know accidents do happen. With cyber threats it is a matter of when and not if you are going to be impacted by a cyber-attack. Some of these are within your control and some are not, so it is important to be prepared to respond correctly when you do become a victim.

Here are some common ways you may find out that you are the victim of a cyber-attack:

The Cyber Criminal will contact you

Yes, sometimes the cyber criminal will be bold enough to contact you to extract money. This is typically the consequence of sensitive data being stolen, which is followed by a ransom demand to prevent the cyber criminal from publicly disclosing or selling it to another criminal to abuse. The data could be sensitive customer information, intellectual property, trade secrets, source code, potential illegal activity or financial results, all of which could be very damaging for your organization, both reputational and financial. Often, when the cyber criminal contacts you it is very likely that you are dealing with cross-border international cyber-crime.

Law Enforcement will notify you

Well, sometimes you maybe not be looking for a data breach in the hopes that your old firewalls and antivirus are doing an effective job—until you are contacted by law enforcement telling you that they have found your data exposed on the dark net, or that it resulted from a different cyber crime activity wherein they discovered several other victims’ sensitive data.

3rd Parties, like your bank, partners or customers will alert you

This typically happens when a bank identifies potentially fraudulent activities from credit cards. The data is then correlated to common factors which might point to a retail company that has likely been compromised, and cyber criminals are stealing credit card details, sometimes via skimming them from PoS (Point of Sale) terminals. Other reasons that 3rd parties might notify you is that they start receiving suspicious activity that is pretending to be your service, usually from cyber criminals compromising the supply chain in an attempt to gain access to a bigger organization. This usually means you may not be the primary target of the cyber-crime, but a secondary victim or a stepping stone to a bigger cyber-attack. In some incidents it might be found that your organization could be compromised and carrying out cyber-attacks against other organizations. This is very common in Educational Institutes where weak security or no security is applied.

Ethical Hackers and Security Researchers—your security friends—will figure it out for you

Not all hackers are bad. Yes, many are doing good work, ethically, to help you. I refer to them as ethical hackers, just like me. Sometimes an ethical hacker, while performing research or responding to other incidents, will find other victims as well and feel they have a responsibility to notify them. Unfortunately, during past events some victims have not responded well to such incidents, preferring to criminalize the ethical hacker, which makes this a difficult relationship but hopefully one which will improve in the future. While ethical hackers expose your security flaws they are doing it respectfully, to help you, and it’s certainly a better option than a cyber criminal finding your vulnerability and exploiting it.

Hurray you found it yourself. Threat hunting does work!

On rare occasions an organization will detect a security incident before any major damage has been caused. This could be thanks to internal skilled cyber security experts or engagement with consultants performing threat hunting techniques. This is the better scenario as sometimes the threat can be identified early enough to reduce potential damage to systems or a data breach. All organizations should be looking for security incidents rather than waiting to find out from the alternatives.

Systems are down. 404 Page Not Found

This is one where the entire organization finds out quickly—it means you just got hit with a destructive cyber-attack, either via a DDoS (Distributed Denial of Service) attack or ransomware, and your systems are either offline, corrupted, or service is limited. In most scenarios cyber criminals prefer to stay hidden and get away from with the crime before you even know anything about it. However, some less skilled cyber criminals will try and make a quick buck, and ransomware is one way.

Or, you have simply just not found it yet

That’s right. You have not been looking hard enough or you failed to deploy effective solutions to help identity the data breach. If you are being entrusted with sensitive data and not following security best practices, then this is one which will not end well for you. You should be taking a proactive approach.

Employees are on the front line. Empower your whole team!

Employees are the front line in the battle to keep your information secure. Attacks rely on your goodwill and trust to succeed, so you must become more personally responsible in how you manage your information, and this can be tiring.

Empower your employees to be strong players in your cyber security battles. They can be a vital part of your indicator of compromise as, we now know, most threats and attacks usually start via a simple email. Employees should be taught how to identify cyber threats so they are part of your early indicator of a potential cyber-attack, either targeted or an attack of opportunity. Cyber-educated employees reduce your risk of a data breach—period.

Data Classification and Access Audits. What is important, and who has access?

Perform a complete Data Impact Assessment and ensure that access to sensitive data comes with full access audits. I recommend performing a data classification after an impact assessment to identify data that is more sensitive. I have used a similar process to Data Center Classification that identifies the data in relation to its importance, and aligned it with the CIA Triad to determine what is important to the data: is it availability, integrity or confidentiality? By classifying the data, you can then align it to security and access controls to ensure adequate security is applied and the risk is reduced.

A data classification and access audit helps ensure that during an incident the scope of the incident and potential risks are quickly identified so the appropriate response can be coordinated.

YOUR CYBER INCIDENT RESPONSE PLAN CHECKLIST

It’s important to methodically plan and prepare for a cyber security incident. You do not want to be doing this in the middle of an active incident because if you’re not coordinated everything can go downhill fast. So, let’s ensure that you have taken the important steps to prepare for an incident. The better you are prepared the less impact the incident will have and the quicker you will get back to business.

Let’s go through my incident response checklist a step at a time:

1.OWNERSHIP AND RESPONSIBILITY – When putting an incident response plan in place you must first decide who will be responsible for it. Have a clear idea as to who has been trained, what tools and technology are available to manage the incident, and how much time could be needed for incident response. Part of this responsibility includes involving your business executives and ensuring they too are trained and prepared for their roles during a cyber incident. Keeping the plan updated and current is also vital.

As your business evolves your incident response plan must evolve along with it to stay aligned with your business priorities. An out-dated incident response plan could create more problems than it solves. Executive approval and buy-in is critical to success, so the plan must have full approval from the top of the organization. This is also a good time to work on incident response simulations and role play exercises.

2.ROLES AND CONTACTS – Everyone who would or could be involved in incident response, whether it’s the Executive Team, Public Relations, Legal, Technical, Finance, HR or Customer Support teams, must have clearly defined roles. They must all know how they will be impacted during a cyber-attack incident, and what will be expected of them. Does everyone know what to do if the cyber incident becomes public? You may have all your customers trying to call at once and your help-desk might get overwhelmed, causing a DDoS attack on your help-desk. So it is essential you understand the capabilities of your help-desk for when incidents occur.

3.COMMUNICATION METHODSAND CONTACT LIST – Keep in mind that during an incident traditional means of communications, like email or VOIP, may not be available. So contact details and an alternative means of communicating must be available during the attack in case traditional methods are not. During the incident, who needs to be notified and in what order of priority? A contact list must be available online and offline, and should include both the System Owners and Technical Responders.

4.THE INCIDENT – Clearly record how the incident was identified. Was it internal, external, a system alert, or one of the methods described previously? Who discovered it, and how was the incident reported? List all the sources and times that the incident has passed through. At which stage did the security team get involved? Record the entire nature of the incident from the original source, type of incident, assets impacted, location and scope. Based on the data and system classification, identify the impact to your business so you can determine the appropriate security measures to take next. It is very important that you document each step performed during the incident.

*PAM TIP: Using a Privileged Access Management solution enables you to quickly audit which privileged accounts have been used recently, whether any passwords have been changed and what applications have been executed. It is also good practice to take a snapshot of the audit logs. You may have already prepared privileged accounts that are used explicitly for incident response. If so, make them available to the technical and security teams to quickly access and monitor systems.

5.IDENTIFICATION AND CONFIRMATION – If, at this stage, the incident has not yet been confirmed, you must identify the type of incident and confirm that it is in fact a real incident.

*PAM TIP: Using a Privileged Access Management solution you can quickly identify abnormal behavior of privileged accounts and determine if they have been abused by an attacker. You can then compare previous privileged account usage against current usage.

6.CONTAINMENT – This typically means stopping the threat to prevent any further damage. Once the incident has been identified and confirmed, based on whether it is an active breach or not, you must decide if it’s safe to watch and learn, or immediately contain the threat (pull the plug). Use the Indicators of Compromise (IoC) to help determine the scope of the affected systems, update any firewalls and network security to capture evidence that can be used later for forensics. Figure out if any sensitive data has been stolen and, if so, what the potential risk might be to your business. During this stage try anticipate any potential legal outcomes. Engage the Legal Team and examine Compliance and Risks to see if the incident impacts any regulations. Should your service remain available if a risk is exposed or should it be shut down until the risk is eliminated? Contact law enforcement if applicable as the incident may also impact other organizations, and additional intelligence on the incident may help eradicate, identify the scope, or assist with attribution.

During the containment you may also need to report the incident to the appropriate authorities depending on country, industry or sensitivity of the data. It may require notifying impacted parties including partners and customers in a certain time frame. This is why it is important to have prepared Public Relations Statements.

*PAM TIP: A Privileged Access Management solution can enable you to restrict access to sensitive systems, require additional approval processes, force multi-factor authentication for privileged accounts and quickly rotate all passwords to prevent further access by the attackers, and aiding with the containment of an incident. You might also want to increase the security controls sensitivity and enforce application whitelisting to prevent malicious malware from being distributed by the attacker.

7.ERADICATION – Restore the systems to pre-incident state. Collect as much evidence as possible and maintain a solid chain of custody. Gather logs, memory dumps, audits, network traffic and disk images. Without proper evidence gathering, digital forensics is limited so a follow-up investigation will not occur. Eliminate the security risk to ensure the attacker cannot regain access. This includes patching systems, closing network access and resetting passwords of compromised accounts. During the eradication step create a root cause identification to help determine the attack path used so that security controls can be improved to prevent similar attacks in the future. You may want to perform a vulnerability analysis to check whether any other vulnerabilities may exist.

*PAM TIP: A privileged access management solution can help compare a baseline to before and after the incident so you can quickly determine which privileged accounts might be malicious and audit the life-cycle. This is a good way to guarantee you can recover and maintain integrity of privileged accounts.

RECOVERY – You will need to recover from the incident and ensure systems integrity, availability and confidentiality is regained. Make sure your services have recovered and the business is back to normal operations. Implement monitoring and continuous detection on the Indicators of Compromise collected during the incident.

*PAM TIP: Monitor all audits and activity for privileged accounts to determine that they are back to normal expected usage. You might also want to run in a higher security control sensitivity for a period of time.

LESSONS LEARNED – It is important to learn what went well and what did not go well during an incident to plan how it can be improved in the future Write up an Incident Response Report and include all areas of the business that were affected by the incident. Was management satisfied with the response, and does the business need to invest further in people, training or technology to help improve your security stature?

*PAM TIP: During the lessons learned you can review how Privileged Access Management enabled effective incident response, areas on continuous improvement and how to leverage Privileged Access Controls in the future.

It’s not a matter of IF, but WHEN you will become a victim

An Incident Response Plan is essential. It is not a matter of if, but when you will become a victim

An incident is not something that every organization wants to experience but the fact is, with an ever increasing cyber-attack threat landscape, it is becoming more and more likely that your organization will become a victim of cyber-crime. How prepared you are will determine the overall impact on your business, so have a solid Incident Response Plan in place to help you do everything possible to reduce the potential impact and risks.

Get breach-ready now and fast track your incident response readiness by downloading these free resources from Thycotic:

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.